Annabelle Ransomware: A New Horror Show For Windows Users

Fans of horror shows and movies understand the consequences of encountering the evil doll named Annabelle. You should also beware of the ransomware based on this horror movie. Annabelle ransomware is reported to perform various malicious activities on the affected Windows machine in order to wreak havoc on the system. According to security researchers, this malware is built on the previously detected Stupid Ransomware, which was easily decrypted by the security expert team. Annabelle ransomware can disable Windows Defender and can also deactivate the firewall.

After that, Annabelle ransomware shuts down pre-installed system and security programs like Chrome and Process Explorer and encrypts the data stored on the compromised machine. Based on a research report published by a reputed security firm, this ransomware attempts to proliferate through infected USB drives. To make every step as evil as its horror movie counterpart, Annabelle ransomware disables some crucial programs installed on the affected computer and then overwrites the system’s master boot record with the help of a boot loader.

After testing the source code of this malware, security researchers found that Annabelle ransomware starts automatically whenever infected users log in to their Windows PC and then closes the installed security applications. Soon after a successful invasion, the malware configures malicious entries in the Image File Execution registry in order to block affected users from launching any security software. Furthermore, it also tries to propagate via autorun.inf files, but this technique does not work on newer versions of Windows.
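To check a machine for the registry entries described above, the following added example (not from the original article or the researchers' report) scans an export of the Image File Execution Options key for `Debugger` values, the setting that redirects a program's launch. The executable names in the watchlist are assumptions mapped from the programs the article names, and the sample export is constructed.

```python
import re

# Path fragment shared by the native and Wow6432Node IFEO keys.
IFEO = r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
# Assumed executable names for the programs the article lists (not from the article).
WATCHLIST = {"taskmgr.exe", "processhacker.exe", "chrome.exe", "msconfig.exe",
             "procexp.exe", "notepad.exe", "opera.exe", "notepad++.exe",
             "bcdedit.exe", "iexplore.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg string escaping: a backslash protects the next character.
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, on_watchlist) for each IFEO subkey with a Debugger value."""
    findings, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(IFEO.lower())
            rest = path[idx + len(IFEO):] if idx != -1 else ""
            # Only direct children of the IFEO key name an executable image.
            image = rest if rest and "\\" not in rest else None
            continue
        val = VALUE_RE.match(line)
        if val and image and unescape(val.group(1)).lower() == "debugger":
            findings.append((image, unescape(val.group(2)), image.lower() in WATCHLIST))
    return findings

# Constructed sample in .reg export format (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\constructed-placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe]
"MitigationOptions"=hex:00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-tool.exe]
"Debugger"="vsjitdebugger.exe"
'''

if __name__ == "__main__":
    for image, debugger, watched in find_ifeo_debuggers(SAMPLE):
        print(f"{'HIGH' if watched else 'review'}: {image} -> {debugger}")
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text in. A `Debugger` value is not proof of infection on its own, since debuggers and some administration tools set it legitimately, so each finding needs review.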

Once it manages to infect your machine, Annabelle ransomware reboots the PC and then displays a lock screen message which asks affected users to contact the virus developers using the provided email address. When you log in to Windows, the threat starts automatically and terminates a number of vital programs, such as Task Manager, Process Hacker, Chrome, Msconfig, Process Explorer, Notepad, Opera, Notepad++, bcdedit, Internet Explorer and others. The method of distributing itself via autorun.inf files is completely useless on newer versions of Windows because they do not support features like autoplay.

The ransom notification displayed by Annabelle ransomware on a contaminated Windows machine has a credits button that, when clicked, displays a screen which states that the creator, iCoreX0812, made this program and allows users to contact them on Discord. To put a final touch on the evil creation of Annabelle ransomware, the cyber extortionists decided to run an application which replaces the MBR (Master Boot Record) of the compromised PC. As a result, it displays a screen named ‘props’ whenever the system reboots. However, you should avoid paying any ransom fee demanded and remove Annabelle ransomware to prevent further damage.